RFR: 8277474: jarsigner does not check if algorithm parameters are disabled

Weijun Wang weijun at openjdk.java.net
Wed Mar 2 16:24:04 UTC 2022


On Tue, 22 Feb 2022 22:00:05 GMT, Hai-May Chao <hchao at openjdk.org> wrote:

> This fixes jarsigner to enforce checking against algorithm constraint properties so when the signature algorithms parameters use disabled or legacy algorithms, it will emit warnings accordingly. If the algorithm used in parameters is disabled, jarsigner treats the jar as unsigned.

src/jdk.jartool/share/classes/sun/security/tools/jarsigner/Main.java line 1414:

> 1412:             } catch (CertPathValidatorException e) {
> 1413:                 disabledAlgFound = true;
> 1414:                 return String.format(rb.getString("with.disabled"), algParams);

The return value should still be the algorithm name with an optional "weak" (or "disabled") tag, something like "RSASSA-PSS (weak)". However, the updated code is now returning the string format of `algParams`, which will be "PSSParameter... (weak)".

I'm not sure how to fix this nicely. Certainly you want to show the user why it is weak so the weak part should be displayed. A verbose solution could be "RSSSSA-PSS using PSSParameterSpec(SHA-256) (weak)". Hopefully the `toString()` output of `PSSParameterSpec` is not too ugly.

-------------

PR: https://git.openjdk.java.net/jdk/pull/7582



More information about the security-dev mailing list